A Method For Preventing Key-Share Attacks



This invention relates to cryptographic systems and in particular, to improvements in
key agreement protocols for preventing key-share attacks thereon.

BACKGROUND OF THE INVENTION



Key establishment is the process by which two (or more) entities establish a shared
secret key. The key is subsequently used to achieve some cryptographic goal, such as
confidentiality or data integrity. Ideally, the established key should have precisely the same
attributes as a key established face-to-face: it should be distributed uniformly at random from
the key space, and no unauthorized (and computationally bounded) entity should learn
anything about the key.

Broadly speaking, there are two kinds of key establishment protocols: key transport
protocols, in which a key is created by one entity and securely transmitted to the second
entity, and key agreement protocols, in which both parties contribute information which
jointly establishes the shared secret key.

Let A and B be two honest entities, i.e., legitimate entities who execute the steps of a
protocol correctly. Informally speaking, a key agreement protocol is said to provide implicit
key authentication (of B to A) if entity A is assured that no other entity aside from a
specifically identified second entity B can possibly learn the value of a particular secret key.
Note that the property of implicit key authentication does not necessarily mean that A is
assured of B actually possessing the key. A key agreement protocol which provides implicit
key authentication to both participating entities is called an authenticated key agreement
(AK) protocol.

Informally speaking, a key agreement protocol is said to provide explicit key
confirmation (of B to A) if entity A is assured that the second entity B has actually computed
the agreed key. The protocol provides implicit key confirmation if A is assured that B can
compute the agreed key. While explicit key confirmation appears to provide stronger
assurances to A than implicit key confirmation (in particular, the former implies the latter), it
is possible that, for all practical purposes, the assurances are in fact the same. This is because
B may delete the key immediately after the explicit key confirmation process.
If both implicit key authentication and (implicit or explicit) key confirmation (of B to
A) are provided, then the key establishment protocol is said to provide explicit key
authentication (of B to A). A key agreement protocol which provides explicit key
authentication to both participating entities is called an authenticated key agreement with key
confirmation (AKC) protocol.

An unknown key-share (UKS) attack on an AK or AKC protocol is an attack
whereby an entity A is coerced into sharing a key with an entity B without A's knowledge,
i.e., when A believes the key is shared with some entity $E \neq B$. Notice that if an AK or AKC
protocol succumbs to a UKS attack, then this does not contradict the implicit key
authentication property of the protocol. By definition, the provision of implicit key
authentication is only considered in the case where A engages in the protocol with an honest
entity (which E isn't).

The station-to-station (STS) protocol is a Diffie-Hellman-based AKC protocol that
purports to provide both (mutual) implicit key authentication and (mutual) key confirmation,
and additionally appears to possess desirable security attributes such as forward secrecy and
resistance to key-compromise impersonation. There are two main variants of STS as described in W.
Diffie et al., "Authentication and authenticated key exchanges", Designs, Codes and
Cryptography, 2 (1992) 107-125: one in which key confirmation is provided by using the
agreed key K in a MAC algorithm (STS-MAC), and another in which K is used in an
encryption scheme (STS-ENC). STS-MAC is preferred over STS-ENC in many practical
scenarios. Moreover, the use of encryption to provide key confirmation in STS-ENC is
suspect: the goal of an encryption scheme is to provide confidentiality, not to serve as an
authentication mechanism for proving possession of a key. One advantage of STS-ENC over
STS-MAC is that the former can facilitate the provision of anonymity.

Many protocols related to STS have appeared in the literature. It should be noted,
however, that these protocols cannot be considered minor variants of STS.

For the sake of clarity, the notation used in the specification is initially outlined as
follows:



A, B                 Honest entities.

E                    The adversary.

$S_A$                A's (private) signing key for a signature scheme S.

$P_A$                A's (public) verification key for S.

$S_A(M)$             A's signature on message M.

$\mathrm{Cert}_A$    A's certificate containing A's name, A's public signature key $P_A$, and possibly
                     some other information.

$E_K(M)$             Encryption of M using a symmetric-key encryption scheme with key K.

$\mathrm{MAC}_K(M)$  Message authentication code of M under key K.

$G, \alpha, n$       Diffie-Hellman parameters; $\alpha$ is an element of prime order $n$ in the finite
                     group $G$.

$r_A$                A's ephemeral Diffie-Hellman private key; $1 \le r_A \le n - 1$.

K                    Ephemeral Diffie-Hellman shared secret, $K = \alpha^{r_A r_B}$.



The two STS variants are presented below. In both descriptions, A is called the initiator,
while B is called the responder.

STS-MAC protocol

The STS-MAC protocol is depicted below. Initiator A selects a random secret integer $r_A$,
$1 \le r_A \le n - 1$, and sends to B the message (1). Upon receiving (1), B selects a random secret
integer $r_B$, $1 \le r_B \le n - 1$, computes the shared secret $K = \alpha^{r_A r_B}$, and sends message (2) to A.
Upon receiving (2), A uses $\mathrm{Cert}_B$ to verify the authenticity of B's signing key $P_B$, verifies B's
signature on the message $(\alpha^{r_B}, \alpha^{r_A})$, computes the shared secret K, and verifies the MAC on
$S_B(\alpha^{r_B}, \alpha^{r_A})$. A then sends message (3) to B. Upon receipt of (3), B uses $\mathrm{Cert}_A$ to verify the
authenticity of A's signing key $P_A$, verifies A's signature on the message $(\alpha^{r_A}, \alpha^{r_B})$ and
verifies the MAC on $S_A(\alpha^{r_A}, \alpha^{r_B})$. If at any stage a check or verification performed by A
or B fails, then that entity terminates the protocol run, and rejects.

(1) A → B:  $A, \alpha^{r_A}$

(2) A ← B:  $\mathrm{Cert}_B, \alpha^{r_B}, S_B(\alpha^{r_B}, \alpha^{r_A}), \mathrm{MAC}_K(S_B(\alpha^{r_B}, \alpha^{r_A}))$

(3) A → B:  $\mathrm{Cert}_A, S_A(\alpha^{r_A}, \alpha^{r_B}), \mathrm{MAC}_K(S_A(\alpha^{r_A}, \alpha^{r_B}))$

STS-ENC protocol

The STS-ENC protocol is given below. For the sake of brevity, the checks that should be
performed by A and B are henceforth omitted.

(1) A → B:  $A, \alpha^{r_A}$

(2) A ← B:  $\mathrm{Cert}_B, \alpha^{r_B}, E_K(S_B(\alpha^{r_B}, \alpha^{r_A}))$

(3) A → B:  $\mathrm{Cert}_A, E_K(S_A(\alpha^{r_A}, \alpha^{r_B}))$

In order to more clearly understand an unknown key-share (UKS) attack on a key
agreement protocol, we consider a hypothetical scenario where a UKS attack can have
damaging consequences. Suppose that A is a bank branch and B is an account holder.
Certificates are issued by the bank headquarters and within each certificate is the account
information of the holder. Suppose that the protocol for electronic deposit of funds is to
exchange a key with a bank branch via an AKC protocol. At the conclusion of the protocol
run, encrypted funds are deposited to the account number in the certificate. Suppose that no
further authentication is done in the encrypted deposit message (which might be the case to
save bandwidth). If the UKS attack mentioned above is successfully launched then the
deposit will be made to E's account instead of B's account.

It is important to observe that a UKS attack on an AKC protocol is a much more
serious consideration than a UKS attack on an AK protocol (which does not provide key
confirmation).

No key agreed in an AK protocol should be used without key confirmation; indeed,
some standards take the conservative approach of mandating key confirmation of keys agreed
in an AK protocol. If appropriate key confirmation is subsequently provided, then the
attempt at a UKS attack will be detected. For this reason, the above hypothetical scenario (in
particular, the assumption that no further authentication is performed after termination of the
key agreement protocol) is realistic if an AKC protocol is used (since key confirmation has
already been provided), and unrealistic if an AK protocol is used (since key confirmation has
not yet been provided).

In a UKS attack against the responder, the adversary E registers A's public key $P_A$ as
its own; i.e., $P_E = P_A$. When A sends B message (1), E intercepts it and replaces the identity A
with E. E then passes message (2) from B to A unchanged. Finally E intercepts message (3),
and replaces $\mathrm{Cert}_A$ with $\mathrm{Cert}_E$. Since $P_A = P_E$, we have $S_A(\alpha^{r_A}, \alpha^{r_B}) = S_E(\alpha^{r_A}, \alpha^{r_B})$. Hence, B
accepts the key K and believes that K is shared with E, while in fact it is shared with A.
Note that E does not learn the value of K. The attack is depicted below. The notation A !→ B
means that A transmitted a message intended for B, which was intercepted by the adversary
and not delivered to B; A ←! B is read analogously for a message from B intended for A.
(1)  A !→ B:  $A, \alpha^{r_A}$

(1') E → B:   $E, \alpha^{r_A}$

(2)  E ← B:   $\mathrm{Cert}_B, \alpha^{r_B}, S_B(\alpha^{r_B}, \alpha^{r_A}), \mathrm{MAC}_K(S_B(\alpha^{r_B}, \alpha^{r_A}))$

(2') A ← E:   $\mathrm{Cert}_B, \alpha^{r_B}, S_B(\alpha^{r_B}, \alpha^{r_A}), \mathrm{MAC}_K(S_B(\alpha^{r_B}, \alpha^{r_A}))$

(3)  A !→ B:  $\mathrm{Cert}_A, S_A(\alpha^{r_A}, \alpha^{r_B}), \mathrm{MAC}_K(S_A(\alpha^{r_A}, \alpha^{r_B}))$

(3') E → B:   $\mathrm{Cert}_E, S_A(\alpha^{r_A}, \alpha^{r_B}), \mathrm{MAC}_K(S_A(\alpha^{r_A}, \alpha^{r_B}))$

Entity E can similarly launch a UKS attack against the initiator A by registering B's
public key $P_B$ as its own. The attack is depicted below.

(1)  A → E:   $A, \alpha^{r_A}$

(1') E → B:   $A, \alpha^{r_A}$

(2)  A ←! B:  $\mathrm{Cert}_B, \alpha^{r_B}, S_B(\alpha^{r_B}, \alpha^{r_A}), \mathrm{MAC}_K(S_B(\alpha^{r_B}, \alpha^{r_A}))$

(2') A ← E:   $\mathrm{Cert}_E, \alpha^{r_B}, S_B(\alpha^{r_B}, \alpha^{r_A}), \mathrm{MAC}_K(S_B(\alpha^{r_B}, \alpha^{r_A}))$

(3)  A → E:   $\mathrm{Cert}_A, S_A(\alpha^{r_A}, \alpha^{r_B}), \mathrm{MAC}_K(S_A(\alpha^{r_A}, \alpha^{r_B}))$

(3') E → B:   $\mathrm{Cert}_A, S_A(\alpha^{r_A}, \alpha^{r_B}), \mathrm{MAC}_K(S_A(\alpha^{r_A}, \alpha^{r_B}))$

In describing new on-line UKS attacks we make the following assumptions. First, we
assume that the signature scheme S used in STS has the following duplicate-signature key
selection property. Suppose that $P_A$ (A's public key), and A's signature $s_A$ on a message M
are known. Then the adversary is able to select a key pair $(P_E, S_E)$ with respect to which $s_A$ is
also E's signature on the message M.

Second, E is able to get its public key certified during a run of the STS protocol. This
assumption is plausible, for instance, in situations where delays in the transmission of
messages are normal, and where the CA is on-line.

The new UKS attack against the responder is similar to the public key substitution
attack against the responder as described earlier. After A sends message (3), E intercepts it
and selects a key pair $(P_E, S_E)$ for the employed signature scheme such that
$S_E(\alpha^{r_A}, \alpha^{r_B}) = S_A(\alpha^{r_A}, \alpha^{r_B})$. E then obtains a certificate $\mathrm{Cert}_E$ for $P_E$, and transmits message
(3') to B.
The new UKS attack against the initiator is similar to the public key substitution
attack against the initiator described above. After B sends message (2), E intercepts it and
selects a key pair $(P_E, S_E)$ for the employed signature scheme such that
$S_E(\alpha^{r_B}, \alpha^{r_A}) = S_B(\alpha^{r_B}, \alpha^{r_A})$. E then obtains a certificate $\mathrm{Cert}_E$ for $P_E$, and transmits
message (2') to A.

In the on-line UKS attacks, the adversary knows the private key $S_E$ corresponding to
its chosen public key $P_E$. Hence, unlike the case of public key substitution attacks, the on-
line attacks cannot be prevented by requiring that entities prove to the certificate-issuing
authority possession of the private keys corresponding to their public keys during the
certification process.

The applicants have discovered that the STS protocols lack certain security attributes.
It is thus desirable to implement an STS protocol wherein unknown key-share attacks are
minimized.

15 

SUMMARY OF THE INVENTION 

According to a general aspect of the invention there is provided in a key agreement
protocol the steps of including the identities of the sender and intended receiver as well as a
flow number in the message being signed to thereby prevent an on-line UKS attack.

According to one aspect of the invention, there is provided in an STS-MAC protocol,
including one of the entities A sending its certificate $\mathrm{Cert}_A$ in a first flow to thereby minimize
an on-line UKS attack against a responder B.

According to a further aspect of the invention, there is provided the step of implicit,
rather than explicit, key confirmation.

A still further aspect of the invention provides for including the identities of the
entities in the key derivation function, rather than the signed message.

A further feature of the invention provides for the application thereof to STS-ENC
and STS-MAC protocols.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other features of the preferred embodiments of the invention will become 
more apparent in the following detailed description in which reference is made to the 
appended drawings wherein: 
Figure 1 is a schematic diagram of a data communication system.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT

Referring to figure 1, an electronic communication system 10 includes a pair of
correspondents, A and B, designated as a sender 12 and recipient 14, connected by a
communication channel 16. Each of the correspondents 12 and 14 includes an encryption
unit 18 and 20 respectively that may process information and prepare it for transmission
through the channel 16. A third entity 22 is depicted as the adversary.

In a key establishment/agreement protocol, according to the embodiment of the
present invention, the following flow of messages takes place between the entities:

Item 1.

(1) A → B:  $A, \alpha^{r_A}$

(2) A ← B:  $\mathrm{Cert}_B, \alpha^{r_B}, S_B(2, B, A, \alpha^{r_B}, \alpha^{r_A}), \mathrm{MAC}_K(S_B(2, B, A, \alpha^{r_B}, \alpha^{r_A}))$

(3) A → B:  $\mathrm{Cert}_A, S_A(3, A, B, \alpha^{r_A}, \alpha^{r_B}), \mathrm{MAC}_K(S_A(3, A, B, \alpha^{r_A}, \alpha^{r_B}))$

In the original STS-MAC protocol described in the background section and the
modification presented above, the agreed key K is used as the MAC key for the purpose of
providing explicit key confirmation. A passive adversary now has some information about K,
namely the MAC of a known message under K. The adversary can use this to distinguish K
from a key selected uniformly at random from the key space. The key space here is
$\mathcal{K} = \{\alpha^i : 1 \le i \le n - 1\}$. Another drawback of providing explicit key confirmation in this way
is that the agreed key K may be subsequently used with a different cryptographic primitive
than the MAC algorithm; this violates a fundamental cryptographic principle that a key
should not be used for more than one purpose.

Two ways of achieving implicit, rather than explicit, key confirmation are:

(i) derive two keys $K' \,\|\, K = H(\alpha^{r_A r_B})$ from the same shared secret (here, H is a
cryptographic hash function); and

(ii) derive two keys $K' = H_1(\alpha^{r_A r_B})$ and $K = H_2(\alpha^{r_A r_B})$ where $H_1$ and $H_2$ are
independent random oracles.
$K'$ is used as the MAC key for the session, while K is used as the agreed session key. The
revised protocol is depicted below.

Item 2.

(1) A → B:  $A, \alpha^{r_A}$

(2) A ← B:  $\mathrm{Cert}_B, \alpha^{r_B}, S_B(2, B, A, \alpha^{r_B}, \alpha^{r_A}), \mathrm{MAC}_{K'}(S_B(2, B, A, \alpha^{r_B}, \alpha^{r_A}))$

(3) A → B:  $\mathrm{Cert}_A, S_A(3, A, B, \alpha^{r_A}, \alpha^{r_B}), \mathrm{MAC}_{K'}(S_A(3, A, B, \alpha^{r_A}, \alpha^{r_B}))$
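The STS-MAC flows, the on-line UKS attack against the responder from the background section, and the item 1 and item 2 protocols, as a runnable example added here (it is not code from the page or from the applicants, and every concrete choice in it is an assumption made for illustration): a toy Schnorr-style signature scheme whose public key carries its own generator, which is exactly what gives it the duplicate-signature key selection property assumed above; HMAC-SHA256 standing in for MAC; SHA-256 for H; a dictionary from identity to public key standing in for certificates; and a constructed group ($p = 2039$, $q = 1019$, $\alpha = 4$) far too small to be secure, used only so the arithmetic stays visible. With `modified=False` the run is plain STS-MAC: B accepts and believes the key is shared with E while it is in fact shared with A, and E never learns K. With `modified=True` (flow number and identities in the signed message, MAC under $K'$ where $K' \| K = H(\alpha^{r_A r_B})$, i.e. item 2) A rejects at flow (2'), because B's signed message names E rather than A as the intended receiver.

```python
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman parameters (not from the page): p = 2q + 1 with
# q prime, and alpha = 4 generates the subgroup of prime order q in Z_p^*.
P, Q, ALPHA = 2039, 1019, 4

def rand_exp():
    return secrets.randbelow(Q - 1) + 1          # 1 <= r <= q - 1

def h_int(*parts):
    data = b"|".join(repr(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

# Toy Schnorr-style signature scheme S. The generator g travels inside the public
# key (an assumption made here so the adversary can choose its own generator);
# that is what gives S the duplicate-signature key selection property used below.
def keygen(g=ALPHA):
    x = rand_exp()
    return x, (g, pow(g, x, P))                 # (S_X, P_X)

def sign(x, pub, msg):
    g, _ = pub
    k = rand_exp()
    e = h_int(pow(g, k, P), *msg)
    return e, (k + e * x) % Q

def verify(pub, msg, sig):
    g, y = pub
    e, s = sig
    r = pow(g, s, P) * pow(y, -e % Q, P) % P    # g^s * y^(-e) = g^k
    return h_int(r, *msg) == e

def dsks(pub, msg, sig):
    """Duplicate-signature key selection: given P_A and A's signature (e, s) on
    msg, return (S_E, P_E), private key included, under which (e, s) verifies."""
    g, y = pub
    e, s = sig
    r = pow(g, s, P) * pow(y, -e % Q, P) % P    # recover g^k from the signature
    while True:
        x2 = rand_exp()
        d = (s - e * x2) % Q
        if d:
            break
    g2 = pow(r, pow(d, -1, Q), P)               # g2^(s - e*x2) = r
    return x2, (g2, pow(g2, x2, P))

def body(flow, sender, receiver, g1, g2, modified):
    """Signed message: (alpha^r1, alpha^r2) in STS-MAC; the item 2 protocol
    prepends the flow number and the identities of sender and intended receiver."""
    return (flow, sender, receiver, g1, g2) if modified else (g1, g2)

def session_keys(z, modified):
    """STS-MAC uses K = alpha^(rA rB) itself as the MAC key; item 2 derives
    K' || K = H(alpha^(rA rB)) and MACs under K'."""
    if not modified:
        return str(z).encode(), str(z).encode()
    d = hashlib.sha256(str(z).encode()).digest()
    return d[:16], d[16:]                       # (K', K)

def mac(key, sig):
    return hmac.new(key, repr(sig).encode(), "sha256").hexdigest()

def uks_attack_against_responder(modified):
    """On-line UKS attack against responder B; returns what A and B concluded."""
    ca = {}                                     # certificates: identity -> public key
    xa, pa = keygen(); ca["A"] = pa
    xb, pb = keygen(); ca["B"] = pb
    ra, rb = rand_exp(), rand_exp()
    ga, gb = pow(ALPHA, ra, P), pow(ALPHA, rb, P)
    # (1)  A !-> B : A, alpha^rA         (1') E -> B : E, alpha^rA
    # (2)  E <- B : B believes its peer is E, so its signed body names E.
    kmac_b, k_b = session_keys(pow(ga, rb, P), modified)
    sig2 = sign(xb, pb, body(2, "B", "E", gb, ga, modified))
    tag2 = mac(kmac_b, sig2)
    # (2') A <- E : forwarded unchanged; A believes its peer is B.
    kmac_a, k_a = session_keys(pow(gb, ra, P), modified)
    a_ok = (verify(ca["B"], body(2, "B", "A", gb, ga, modified), sig2)
            and hmac.compare_digest(tag2, mac(kmac_a, sig2)))
    if not a_ok:                                # A terminates the run and rejects
        return {"A_accepts": False, "B_accepts": False, "keys_equal": k_a == k_b}
    # (3)  A !-> B : Cert_A, S_A(m3), MAC(S_A(m3))
    m3 = body(3, "A", "B", ga, gb, modified)
    sig3 = sign(xa, pa, m3)
    tag3 = mac(kmac_a, sig3)
    # (3') E -> B : Cert_E with the same signature and MAC. E gets P_E certified
    # on-line and really holds S_E, so a CA proof-of-possession check does not stop it.
    xe, pe = dsks(pa, m3, sig3); ca["E"] = pe
    assert verify(pe, ("pop",), sign(xe, pe, ("pop",)))
    b_ok = (verify(ca["E"], body(3, "E", "B", ga, gb, modified), sig3)
            and hmac.compare_digest(tag3, mac(kmac_b, sig3)))
    # E only relayed alpha^rA and alpha^rB, so it never learns K.
    return {"A_accepts": True, "B_accepts": b_ok, "keys_equal": k_a == k_b}

if __name__ == "__main__":
    print("STS-MAC:", uks_attack_against_responder(modified=False))
    print("item 2 :", uks_attack_against_responder(modified=True))
```

The `dsks()` routine is the adversary's step between (3) and (3'): it recovers $g^k$ from the published signature, picks a fresh private exponent $x'$, and sets $g' = (g^k)^{1/(s - e x')}$ so that the same $(e, s)$ verifies under $(g', g'^{x'})$. It works only because this toy scheme lets the signer choose the generator; if the generator is a fixed domain parameter, the only $y'$ under which $(e, s)$ verifies is $y$ itself, and hashing the signer's public key into $e$ removes the property as well. Whether a given signature scheme admits duplicate-signature key selection is the check to make before relying on plain STS.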

Instead of including the identities of the entities in the signed message, one could
include them in the key derivation function, whose purpose is to derive the shared key from
the shared secret $\alpha^{r_A r_B}$. In the protocol of item 1 the shared secret key would be
$K = H(\alpha^{r_A r_B}, A, B)$, while in the two protocols of item 2 the shared keys would be
(i) $K' \,\|\, K = H(\alpha^{r_A r_B}, A, B)$ and (ii) $K' = H_1(\alpha^{r_A r_B}, A, B)$ and $K = H_2(\alpha^{r_A r_B}, A, B)$.

However, key derivation functions have not been well-studied by the cryptographic
community; the desirable properties of a key derivation function have not yet been specified.
Hence the protocols presented in items 1 and 2 are preferred over the variants which include
identities in the key derivation function.

The protocols in item 2 provide implicit key confirmation. While the assurance that
the other entity has actually computed the shared key K is not provided, each entity does
get the assurance that the other has computed the shared secret $\alpha^{r_A r_B}$. Implicit key
confirmation is still provided (to a somewhat lesser degree) if the MACs are not included
in the flows. The revised protocol is shown below:

Item 3.

(1) A → B:  $A, \alpha^{r_A}$

(2) A ← B:  $\mathrm{Cert}_B, \alpha^{r_B}, S_B(2, B, A, \alpha^{r_B}, \alpha^{r_A})$

(3) A → B:  $\mathrm{Cert}_A, S_A(3, A, B, \alpha^{r_A}, \alpha^{r_B})$

The on-line UKS attacks cannot be launched on STS-ENC because the signatures
$S_A(\alpha^{r_A}, \alpha^{r_B})$ and $S_B(\alpha^{r_B}, \alpha^{r_A})$ are not known by the adversary. However, as a precautionary
measure, we recommend that STS-ENC be modified so that the flow number and identities of
the sender and intended recipient be included in the signed messages or that the identities be
included in the key derivation function as above.

Although the invention has been described with reference to certain specific
embodiments, various modifications thereof will be apparent to those skilled in the art
without departing from the spirit and scope of the invention as outlined in the claims
appended hereto. For example, the items are described with respect to STS-MAC; they
can equally well be defined with respect to STS-ENC. Furthermore, they can be utilized
over other groups such as elliptic curve groups.



